The intelligence community uses undisclosed vulnerabilities to develop tools that can penetrate the computer systems and networks of its foreign targets. Unfortunately, since everyone uses the same technology in today’s global economy, each of these vulnerabilities also represents a threat to private businesses and individuals. In the future, rather than hoarding this information to strategically benefit employer cronies, the intelligence agencies should commit to responsibly disclosing vulnerabilities it discovers to the private sector so that security holes can be patched.
One of the most serious cyber security threats come from zero-day attacks – attacks designed to exploit vulnerabilities that a developer either does not know about or has not had time to fix. Because this threat is so great, the information security community has developed policies on how to responsibly disclose vulnerabilities.
These policies generally require immediately and confidentially notifying developers of discovered weaknesses and then allowing them time to create a security patch. However, these policies typically also entail public notification within a short period of time, such as 45 days, both to motivate developers to respond quickly and to balance users’ right to know about weaknesses in the software and hardware they use.